I'm looking for a spreadsheet/template that allows the business-rules (i.e. 'who has access to what') to be mapped, visualized and analyzed.

In the past I have created a couple of these (some even with automation using the O2 Platform), but NDAs prevented me from sharing. So while helping with a set of Python scripts to test TeamMentor's WebServices, I took the time to create a model which I think came out quite well.

You can read about it here: "Creating a spreadsheet with WebService's Authorization Mappings", and this is what it looks like:

Since I'm going to integrate this with O2 next, it is easier to change it into a better format/standard now (vs later).

I also think that we should have a couple of these templates in an easy-to-consume format on the OWASP Wiki (I have lost count of the number of times that I have tried to explain the need for 'such authorization tables/mappings' without having good examples at hand).

Note that creating these mappings is just one part of the puzzle! Also as important is the ability to keep it well maintained, up-to-date and relevant.
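A minimal machine-readable form of such an authorization mapping, as an added example that is not part of the original post or of TeamMentor's scripts: it compares the expected 'who has access to what' rules against the results of a test run and emits the role-by-method table as CSV. The role names, method names and observed results are hypothetical and constructed for illustration.

```python
import csv
import io

# Constructed sample data: hypothetical roles and WebService methods.
ROLES = ["anonymous", "reader", "editor", "admin"]
EXPECTED = {  # method -> roles the business rules allow to call it
    "GetArticle": {"reader", "editor", "admin"},
    "UpdateArticle": {"editor", "admin"},
    "DeleteUser": {"admin"},
    "Login": {"anonymous", "reader", "editor", "admin"},
}
# (method, role) pairs whose call succeeded in a test run (constructed).
OBSERVED_ALLOWED = {
    ("GetArticle", "reader"), ("GetArticle", "editor"), ("GetArticle", "admin"),
    ("UpdateArticle", "reader"), ("UpdateArticle", "editor"),
    ("UpdateArticle", "admin"), ("DeleteUser", "admin"),
    ("Login", "anonymous"), ("Login", "reader"), ("Login", "editor"),
    ("ExportLibrary", "reader"),  # method missing from the mapping
}

def classify(method, role, expected, observed):
    """Return the cell value for one method/role pair."""
    got = (method, role) in observed
    if method not in expected:  # mapping is stale or incomplete
        return "UNMAPPED" if got else "deny"
    want = role in expected[method]
    if want == got:
        return "allow" if got else "deny"
    return "EXCESS" if got else "MISSING"  # too much / too little access

def build_matrix(roles, expected, observed):
    methods = sorted(set(expected) | {m for m, _ in observed})
    return {m: {r: classify(m, r, expected, observed) for r in roles}
            for m in methods}

def findings(matrix):
    """Cells where observed behaviour disagrees with the mapping."""
    return sorted((m, r, c) for m, row in matrix.items()
                  for r, c in row.items() if c.isupper())

def to_csv(roles, matrix):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["method"] + roles)
    for method, row in matrix.items():
        writer.writerow([method] + [row[r] for r in roles])
    return buf.getvalue()

if __name__ == "__main__":
    matrix = build_matrix(ROLES, EXPECTED, OBSERVED_ALLOWED)
    print(to_csv(ROLES, matrix))
    for finding in findings(matrix):
        print(finding)
```

The CSV output opens directly in a spreadsheet, and the uppercase cells are the ones to review: access granted beyond the rules, access denied despite the rules, or a method the mapping does not cover.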

Oh uggh! It's an interesting problem, as some of the bigger LDAP providers (that's you AD!) don't even recognize services as securables and IMHO they really should - IFF you have the ability to use some standardized LDAP provider for role management, then you can trawl a lot of vendor offerings for tools to help you in this - bottom line is don't roll your own authorization, try and piggyback onto an existing LDAP provider where you can set up OUs, groups, etc. to handle this for you and then use standard tool chains to monitor/report this.
One other point - try and create the tables people refer to at the time they demand them, don't store stale copies - people come and go, apps come and go, authorizations change.